TLS-RPT Report Analyzer
Paste or upload an RFC 8460 SMTP TLS (TLS-RPT) report. See per-policy success and failure session counts, an aggregate TLS success rate, and plain-English failure reasons. Your report never leaves your browser.
Your report never leaves your browser.
How to get your TLS-RPT reports. Publish a TXT record at _smtp._tls.<yourdomain> with v=TLSRPTv1 and a rua address you control, for example v=TLSRPTv1;rua=mailto:tlsrpt@yourdomain.com. Sending servers that support RFC 8460 then deliver aggregate reports, one per UTC day, after a delay of several hours. Each report arrives as a JSON attachment (often gzip-compressed as .json.gz). Save it and upload it here, or open it in a text editor and paste the JSON. The TLS-RPT explained guide walks through publishing the record.
How to read TLS-RPT reports. A TLS-RPT report lists one or more policies, each with a count of successful TLS sessions and a count of failed sessions, plus failure details for the failures. Start with the aggregate success rate: 100% means every reporting sender negotiated TLS cleanly against your policy for that period. For any failures, read the result-type — it tells you whether the problem was a missing STARTTLS, an expired or untrusted certificate, a DANE TLSA mismatch, or an MTA-STS policy error. Check the policy-type (sts, tlsa, or no-policy-found) to confirm which policy the sender applied. Resolve failures while MTA-STS is still in testing mode, before you enforce.
TLS-RPT report analyzer FAQ
What is a TLS-RPT report?
A TLS-RPT report is a JSON document that a sending mail server sends to the address in your _smtp._tls DNS record. It summarizes, for one UTC day, how many of that sender’s SMTP TLS sessions to your domain succeeded or failed, with failure reasons. TLS-RPT is defined in RFC 8460. See the TLS-RPT explained guide for the full standard.
How do I get TLS-RPT reports?
Publish a TXT record at _smtp._tls.<yourdomain> with v=TLSRPTv1 and a rua address you control, for example v=TLSRPTv1;rua=mailto:tlsrpt@example.com. Senders that support the standard start delivering reports, one per UTC day, after a delay. Download the attachment and paste or upload it here.
What does policy-type (sts, tlsa, no-policy-found) mean?
Each result in a report names the policy that applied: sts means an MTA-STS policy was in effect, tlsa means a DANE TLSA record applied, and no-policy-found means neither was discovered so the session is reported without a policy context. Reading policy-type tells you whether the sender acted on MTA-STS, DANE, or neither.
Is it safe to analyze my report here?
Yes. Parsing happens entirely in your browser, so the file never leaves your machine. If you want to verify that, open the network tab in devtools and click Analyze — there is no outbound request. This pairs with the live TLS Check tool, which probes your domain’s current TLS, MTA-STS, and TLS-RPT posture.